On Wednesday, researchers outlined a flaw (patched in June by Microsoft) dubbed “Open Sesame” that allowed an adversary to bypass a Windows 10 lock screen using the voice assistant Cortana and unleash a number of “dangerous” functions.

“Adding functionality on a locked screen is a slippery slope… We didn’t think someone looked at the entire system and asked the question, can my computer be hacked by voice?” security researcher Amichai Shulman said. Shulman discovered and broke down “Open Sesame” and other vulnerabilities, along with Tal Be’ery, of Kzen Networks, and Ron Marcovich and Yuval Ron of the Israel Institute of Technology.

Thanks to Cortana’s “universal access methods” – specifically Microsoft Windows 10’s default support for the voice assistant – researchers were able to launch local commands through a locked Windows 10 screen and perform additional risky commands.

The root cause behind “Open Sesame” (CVE-2018-8140) is that the lock screen on Windows 10 devices restricts the keyboard but still allows Cortana to be invoked by voice. Once Cortana is invoked, the lock screen no longer restricts it.

After exploiting the flaw, attackers could view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges, researchers said.

Alarmingly, exploitation of this flaw did not involve any external code, making code-focused defenses such as antivirus, anti-malware and IPS blind to the attack, they said.

Part of the issue behind the attack is that the UI on the locked Windows 10 screen now exposes app functionality before the device is unlocked, which was not the case before. As a result, the responsibility for securing the system has shifted to developers, researchers said.

“In the past, the OS made sure the UI is not accessible when the computer is locked, and therefore developers did not need to think about it. Now it’s the developers’ responsibility,” said Be’ery.

The researchers reported the vulnerability to Microsoft on April 18 (days later, McAfee researchers also reported the same bug), and Microsoft issued a patch on June 18.

Going forward, researchers suggested that for the time being users can disable Cortana voice in corporate environments or at least on their locked screens.
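One way to check that mitigation on a Windows 10 host, as an added example that is not from the researchers or Microsoft: it reads the Group Policy registry values `AllowCortana` and `AllowCortanaAboveLock` and treats either being 0 as compliant. The function names, state labels and `-Enforce` switch are made up for this example.

```powershell
[CmdletBinding()]
param(
    [switch]$Enforce   # hypothetical switch: write the lock-screen policy if missing
)

# Group Policy location for "Allow Cortana" / "Allow Cortana above lock screen".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

function Get-PolicyDword {
    param([string]$Name)
    # Returns $null when the key or value is absent (policy "Not configured").
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $props.PSObject.Properties.Name -notcontains $Name) {
        return $null
    }
    return [int]$props.$Name
}

function Get-CortanaLockState {
    $allow     = Get-PolicyDword -Name 'AllowCortana'
    $aboveLock = Get-PolicyDword -Name 'AllowCortanaAboveLock'
    # Either policy set to 0 matches the advice: Cortana off entirely,
    # or at least off while the screen is locked.
    if ($allow -eq 0) { $state = 'CortanaDisabled' }
    elseif ($aboveLock -eq 0) { $state = 'BlockedOnLockScreen' }
    else { $state = 'NotBlockedByPolicy' }   # the user's own setting decides
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        AllowCortana          = $allow
        AllowCortanaAboveLock = $aboveLock
        State                 = $state
        Compliant             = ($state -ne 'NotBlockedByPolicy')
    }
}

$result = Get-CortanaLockState
if (-not $result.Compliant -and $Enforce) {
    # Narrower of the two mitigations: keep Cortana, but not above the lock screen.
    # Create the key only if absent; New-Item -Force would wipe existing values.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'AllowCortanaAboveLock' `
        -PropertyType DWord -Value 0 -Force | Out-Null
    $result = Get-CortanaLockState
}
$result
```

Writing the value with `-Enforce` needs an elevated prompt, and a domain Group Policy that sets the same value will override a local change at the next policy refresh.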

“When introducing innovative concepts into existing environments, secure coding is not enough – we need secure system engineering,” said Be’ery.

Authors

Threatpost
